Sequence

Off-Chain (Private)
Audited on 2024/02/06
No active critical issues

Summary

Quantstamp performed a security audit of the smart contracts implementing the Sequence NFT orderbook based on the code present in the listed repositories. In addition, specific contracts of two more repositories were audited: `contracts-library` and `wallet-contracts`.

Sequence offers solutions to clients building web3 gaming apps. In its marketplace, users can trade ERC-721 and ERC-1155 tokens, creating listings and offers, and using ERC-20 tokens as payment. Users can use Sequence smart contracts to create ERC-20, ERC-721, and ERC-1155 tokens with extended functionalities (privileged roles), as well as contracts implementing public sales for them. Users of these contracts should be aware that the owners can upgrade them at any time, changing the implementation. Sequence also offers a smart wallet (out of the scope of this audit). In this audit, a recovery mechanism for the wallet was audited (`Trust.sol`).

All issues and recommendations are discussed in the *Findings* section of this document. After that, recommendations about documentation are discussed. We strongly recommend addressing all the issues and adding tests to cover the proposed fixes before deployment.

The documentation quality is good. Public and internal documentation was provided by the Sequence team. However, it is recommended to add detailed and updated public documentation focusing on the new features of the protocol. Regarding testing, all tests passed, and the project implements code coverage metrics in every repository except one (`contracts-library`), where coverage fails due to a `StackTooDeep` error. We highly recommend improving the branch coverage to a minimum of `95%` and adding new tests to cover the proposed fixes.

**Fix review:** The Sequence team has either fixed, mitigated, or acknowledged all issues found within the report, and provided new commits containing fixes for the issues found.
The Sequence team added the ability to set custom royalties when trading ERC-721 and ERC-1155 tokens that do not implement ERC-2981. The `OrderBook` contract owner can set the fee percentage (up to 100%) and the recipient for each token contract.


Issues (23)

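| Status | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 8 | - | - | - | 8 |
| Fixed | 13 | 2 | - | - | 15 |
| Total | 21 | 2 | 0 | 0 | 23 |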


Contracts (4)